FEDRAMP REQUIREMENTS FOR “IN PROCESS” DESIGNATION ON WWW.FEDRAMP.GOV FOR CLOUD SERVICE OFFERINGS FOR AGENCY AUTHORIZATIONS
Version 2 August 17, 2017
Revision History

DATE | VERSION | PAGE(S) | DESCRIPTION | AUTHOR
8/17/17 | 2 | 2 | | FedRAMP PMO
TABLE OF CONTENTS
1. PURPOSE
2. ADDITION OF A CSO TO WWW.FEDRAMP.GOV “IN PROCESS” DESIGNATION
3. REMOVAL OF A CSO FROM WWW.FEDRAMP.GOV “IN PROCESS” DESIGNATION
4. NOTIFICATION
1. PURPOSE

The purpose of this document is to define the criteria for obtaining and revoking the “FedRAMP In Process” designation for Agency authorizations. All Cloud Service Offerings (CSOs) that have successfully achieved the “FedRAMP In Process” designation will be listed within the FedRAMP Marketplace on fedramp.gov (the authoritative source for official FedRAMP designations).
2. ADDITION OF A CSO TO WWW.FEDRAMP.GOV “IN PROCESS” DESIGNATION

A CSO shall be designated as “FedRAMP In Process” by the FedRAMP Program Management Office (PMO), and listed within the FedRAMP Marketplace (https://marketplace.fedramp.gov/), once the following criteria are met and validated by the FedRAMP PMO:

1. The FedRAMP PMO must be in receipt of an e-mail from an Agency Authorizing Official (AO) or FedRAMP PMO approved designee stating that they are actively working with the CSP and plan on granting an Authority to Operate (ATO) that meets the FedRAMP requirements within 12 months. E-mails from agencies should be sent to: [email protected]

AND ONE OF THE FOLLOWING:

1. The agency must provide proof of a contract award for the use of the CSO, and the contract must specify a timeline associated with when an ATO meeting the FedRAMP requirements must be achieved.
2. A cloud offering is actively used by an Agency and the Cloud Service Provider (CSP) can demonstrate Agency usage to the FedRAMP PMO. An e-mail from the Agency AO or FedRAMP PMO approved designee stating the product is being used by the Agency will meet this requirement.
3. The CSO achieved “FedRAMP Ready” designation from the FedRAMP PMO.
4. Completion of a formal kick-off meeting with the FedRAMP PMO and Agency present with agreement on:
   a. A project plan from the CSP that outlines project milestones and schedule associated with the delivery of the authorization deliverables to the Agency and anticipated ATO date.
   b. An authorization boundary diagram of all services/capabilities that are included within the security authorization package.
   c. Resources available to support the FedRAMP Authorization from the CSP and Agency; personnel identified as critical to the authorization must be present at the kick-off meeting.
3. REMOVAL OF A CSO FROM WWW.FEDRAMP.GOV “IN PROCESS” DESIGNATION

The decision to list a CSO on FedRAMP.gov as “In Process” is ultimately the FedRAMP Director’s. The intention of being listed as “In Process” is to indicate to Federal agencies that a CSO is actively working towards an authorization. If a determination is made that the CSO is not actively working towards an authorization, the FedRAMP Director, at his discretion, may choose to remove a vendor as “In Process” from FedRAMP.gov.
Some examples of why a CSO could be removed from the FedRAMP include, but are not limited to:

1. The FedRAMP PMO is in receipt of an e-mail from the Agency AO or FedRAMP PMO approved designee, stating they are no longer working with the CSP towards a FedRAMP Authorization.
2. The FedRAMP PMO is in receipt of an e-mail from the CSP stating they are no longer pursuing a FedRAMP Authorization.
3. The CSP or Agency fails to provide timely authorization status associated with ONE of the following conditions:
   a. The FedRAMP PMO is not in receipt of an Agency ATO for an “In Process” system within 12 months of the initial Agency notification to the FedRAMP PMO.
      i. The FedRAMP Director shall meet with the CSP and Agency to discuss a resolution. If consensus on the authorization way forward and timeline is achieved, the CSO will remain listed within the FedRAMP Marketplace as “FedRAMP In Process”.
   b. The CSP or Agency fails to respond to the FedRAMP PMO’s periodic “check-ins”.
      i. The FedRAMP PMO will request periodic authorization status from the Agency and/or CSP throughout the 12-month authorization window. If the FedRAMP PMO does not receive a response in a timely manner, FedRAMP may remove the CSO from the FedRAMP Marketplace.
4. The FedRAMP Agency ATO package review, performed by the FedRAMP PMO, results in “Send back to Agency” 2 or more times. A copy of the FedRAMP Agency ATO Report Template can be found here: https://s3.amazonaws.com/sitesusa/wpcontent/uploads/sites/482/2016/06/Agency-ATO-Report-Template-Version-2.10-b.pdf
5. The initial Authorizing Agency changes to a different Agency and the FedRAMP PMO is not notified in a timely manner via e-mail.
4. NOTIFICATION

If the “FedRAMP In Process” status is revoked, the CSP and Agency POCs will be notified by e-mail. Within 24 hours of the e-mail being sent, the website will be updated.